Tanuki

The hint we got today was can you update another user's profile?

So with that hint in our pocket, I obviously went straight to the profile page.

The update password was probably the thing I needed to update. But when I came to the actual request, I panicked for a split second.

I expected that in the JSON content, there would be an identifier like user_id or something like that. I did noticed the /shadow on top, so because there was nothing to tamper with inside the JSON, I tried changing shadow to admin

And just like that I updated the admin's password and got my flag 🇧🇪